IAM & Access Control
11 Dedicated Checks
Identity and Access Management is the foundation of AWS security. These checks verify that user accounts, roles, and policies follow the principle of least privilege.
P0 Root account security (MFA + access keys)
iam:GetAccountSummary
What We Verify
Checks if root account has MFA enabled and has no programmatic access keys.
Risk Output
Root has unrestricted access. Without MFA, a stolen password compromises your entire AWS account. Root access keys provide unrestricted API access.
P0 IAM users with console access have MFA
iam:ListMFADevices
What We Verify
Verifies all IAM users who can log into the AWS console have MFA configured.
Risk Output
Users without MFA can be compromised via password theft, phishing, or brute-force attacks.
P0 Access keys older than 90 days
iam:ListAccessKeys
What We Verify
Finds all active access keys that haven't been rotated in 90+ days.
Risk Output
Old keys increase exposure window. If leaked (Git commit, logs, screenshots), attackers have prolonged access.
P0 Password policy compliance
iam:GetAccountPasswordPolicy
What We Verify
Checks if password policy enforces minimum length (14+), complexity, and expiry.
Risk Output
Weak passwords are easily guessed. No expiry means compromised passwords remain valid forever.
P0 IAM users with admin access (*:*)
iam:ListAttachedUserPolicies
What We Verify
Identifies IAM users who have full administrator access (Action: *, Resource: *).
Risk Output
Admin users can do anything — delete databases, modify security groups, access all data. Limit to minimum needed.
P1 IAM policies with wildcard resources
iam:GetPolicyVersion
What We Verify
Finds custom IAM policies that grant access to all resources (Resource: *).
Risk Output
Wildcard resource policies violate least privilege. A role meant for one S3 bucket gets access to all buckets.
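As an added example (not the scanner's own code), here is how the admin-access (*:*) and wildcard-resource checks above can be implemented over IAM policy documents. The documents are constructed samples shaped like the decoded Document that boto3 returns from iam:GetPolicyVersion; the managed-policy ARN for AdministratorAccess is the real one.

```python
# Added example, not the scanner's own code: classify IAM policy documents for
# the "admin access (*:*)" and "wildcard resources" checks. Sample documents
# below are constructed.

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def classify_policy(document):
    """Return the set of finding codes for one policy document.

    WILDCARD_RESOURCE: an Allow statement whose Resource is "*"
    ADMIN_ACCESS:      such a statement that also allows Action "*"
    Deny statements cannot grant anything and are skipped. A Condition on the
    statement does not clear the finding: the grant is still unscoped by resource.
    """
    findings = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources:
            findings.add("WILDCARD_RESOURCE")
            if "*" in actions:
                findings.add("ADMIN_ACCESS")
    return findings

def user_is_admin(attached_policy_arns, documents_by_arn):
    """True if the user has AdministratorAccess attached, or any attached policy grants *:*.

    attached_policy_arns: PolicyArn values from iam:ListAttachedUserPolicies
    documents_by_arn:     decoded default-version documents fetched per ARN
    """
    for arn in attached_policy_arns:
        if arn == ADMIN_MANAGED_POLICY:
            return True
        if "ADMIN_ACCESS" in classify_policy(documents_by_arn.get(arn, {})):
            return True
    return False

# Constructed sample documents.
ADMIN_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
WILDCARD_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
CUSTOM_ARN = "arn:aws:iam::111122223333:policy/app-wildcard"  # constructed account id

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_DOC), ("wildcard", WILDCARD_DOC), ("scoped", SCOPED_DOC)):
        print(name, sorted(classify_policy(doc)))
    print("admin user?", user_is_admin([CUSTOM_ARN], {CUSTOM_ARN: WILDCARD_DOC}))
```

In a live scanner the same classification is applied to every attached policy (and to inline policies, which the inline-policy check below surfaces separately), and the WILDCARD_RESOURCE code is reported only for customer-managed policies, as the check describes.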
P1 Unused IAM users (no login > 90 days)
iam:GenerateCredentialReport
What We Verify
Identifies IAM users who haven't logged in or used access keys in 90+ days.
Risk Output
Dormant accounts are attack targets. Former employees or unused service accounts may still have valid credentials.
P1 Cross-account role trust policies
iam:GetRole
What We Verify
Reviews IAM role trust policies for external account access.
Risk Output
Misconfigured trust policies may allow unknown AWS accounts to assume roles in your environment.
P1 IAM credential report analysis (unused keys)
iam:GenerateCredentialReport
What We Verify
Comprehensive analysis of all IAM credentials — passwords, keys, MFA status. Finds access keys that were never used.
Risk Output
Provides a complete picture of credential hygiene. Unused keys are forgotten credentials waiting to be compromised.
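The credential report is the single source behind several of the checks above: console users without MFA, access keys older than 90 days, dormant users, and keys that were never used. As an added example (not the scanner's own code), the following evaluates a report CSV for all four. The column names are the real report columns; the rows and the fixed "now" timestamp are constructed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Added example, not the scanner's own code: evaluate an IAM credential report
# (iam:GenerateCredentialReport / iam:GetCredentialReport) for the MFA, key-age,
# never-used-key and dormant-user checks. The rows below are constructed.

MAX_KEY_AGE_DAYS = 90
DORMANT_DAYS = 90
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-05-20T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2025-05-30T09:15:00+00:00,true,true,2024-10-01T00:00:00+00:00,2025-05-27T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-01T00:00:00+00:00,true,2025-01-15T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
deploy,arn:aws:iam::111122223333:user/deploy,2025-05-01T00:00:00+00:00,false,not_supported,false,true,2025-05-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

def _ts(value):
    """Parse a report timestamp; the report uses N/A, no_information and not_supported for absent values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def _age_days(ts, now):
    return (now - ts).days

def analyze_credential_report(report_csv, now):
    """Return (user, finding_code) tuples for the four credential-hygiene checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console users without MFA. Root always has a console password; the
        # report marks its password_enabled as not_supported.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        last_activity = [t for t in (_ts(row["password_last_used"]),) if t]
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"ROOT_ACCESS_KEY_{n}"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and _age_days(rotated, now) > MAX_KEY_AGE_DAYS:
                findings.append((user, f"KEY_{n}_OLD"))
            if used is None:
                findings.append((user, f"KEY_{n}_NEVER_USED"))
            else:
                last_activity.append(used)
        # Dormant: no console login or key use in DORMANT_DAYS. A user with no
        # recorded activity at all is measured from creation time.
        if not is_root:
            latest = max(last_activity) if last_activity else _ts(row["user_creation_time"])
            if _age_days(latest, now) > DORMANT_DAYS:
                findings.append((user, "DORMANT"))
    return findings

if __name__ == "__main__":
    for user, code in analyze_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user:16} {code}")
```

Against the sample, alice's first key is flagged as older than 90 days, bob is flagged both for lacking MFA and for being dormant, and the deploy user's key is flagged as never used.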
P1 IAM Access Analyzer findings
accessanalyzer:ListAnalyzers
What We Verify
Checks if IAM Access Analyzer is enabled and reviews any external access findings.
Risk Output
Access Analyzer identifies resources shared outside your account that you may not be aware of.
P1 IAM inline policies on users
iam:ListUserPolicies
What We Verify
Finds IAM users with inline policies instead of managed policies.
Risk Output
Inline policies are harder to audit, version, and manage consistently. They bypass centralized policy controls.
S3 Storage Security
8 Dedicated Checks
Amazon S3 stores critical business data. These checks ensure buckets are not publicly accessible and data is encrypted at rest.
P0 S3 public access block enabled
s3:GetPublicAccessBlock
What We Verify
Checks if all four public access block settings are enabled per bucket.
Risk Output
Without public access block, bucket policies or ACLs could accidentally expose data to the internet.
P0 S3 account-level public access block
s3control:GetPublicAccessBlock
What We Verify
Verifies account-level S3 public access block is enabled (overrides all bucket settings).
Risk Output
Account-level block prevents ANY bucket from being made public, even by mistake.
P0 S3 bucket encryption (SSE) enabled
s3:GetBucketEncryption
What We Verify
Checks if default encryption is enabled on all S3 buckets.
Risk Output
Unencrypted data at rest is exposed if AWS storage is physically compromised or access controls fail.
P0 S3 bucket policy allows public access
s3:GetBucketPolicy
What We Verify
Analyzes bucket policies for statements that allow public (Principal: *) access without conditions.
Risk Output
Misconfigured policies indicate data is intentionally or accidentally shared publicly.
P1 S3 bucket versioning enabled
s3:GetBucketVersioning
What We Verify
Checks if versioning is enabled to protect against accidental deletion.
Risk Output
Without versioning, deleted or overwritten files are gone forever. No recovery possible.
P1 S3 bucket logging enabled
s3:GetBucketLogging
What We Verify
Verifies access logging is enabled for audit trails.
Risk Output
Without logging, you can't track who accessed what data or detect unauthorized access.
P1 S3 SSL/TLS enforced (deny HTTP)
s3:GetBucketPolicy
What We Verify
Checks if bucket policy enforces HTTPS-only access.
Risk Output
HTTP transfers are unencrypted. Data in transit can be intercepted.
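As an added example (not the scanner's own code), the following implements the two bucket-policy checks above: an unconditional Allow to Principal "*" (public access) and a Deny of all S3 actions when aws:SecureTransport is false (HTTPS enforced). The policies are constructed samples; boto3's s3:GetBucketPolicy returns the policy as a JSON string, so json.loads it first. The same principal test applies to any resource policy, for instance the Lambda resource-policy and VPC endpoint-policy checks later on this page.

```python
# Added example, not the scanner's own code: evaluate an S3 bucket policy for
# the "allows public access" and "SSL/TLS enforced" checks. Policies below are
# constructed samples; the VPC endpoint id is a placeholder.

SAMPLE_BUCKET = "example-data-bucket"

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """Principal "*" and {"AWS": "*"} both mean anonymous or any AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_statements(policy):
    """Sids (or positional labels) of Allow statements open to everyone with no Condition."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"statement-{i}"))
    return found

def enforces_tls(policy, bucket):
    """True if a Deny covers everyone, all S3 actions, the bucket and its objects
    whenever aws:SecureTransport is false."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" not in resources and not {bucket_arn, bucket_arn + "/*"} <= resources:
            continue  # must cover both bucket-level and object-level operations
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        flags = [str(f).lower() for f in _as_list(flag)]  # "false", False or ["false"]
        if "false" in flags:
            return True
    return False

# Constructed sample policies.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*"}]}

VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromOurVpce", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{SAMPLE_BUCKET}", f"arn:aws:s3:::{SAMPLE_BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, pol in (("public-read", PUBLIC_READ_POLICY), ("vpce-only", VPCE_ONLY_POLICY),
                      ("hardened", HARDENED_POLICY)):
        print(name, "public:", public_statements(pol), "tls:", enforces_tls(pol, SAMPLE_BUCKET))
```

Note that the VPCE-only policy is not reported as public even though its principal is "*": the check as described only flags grants without conditions. A scanner that wants to be stricter can report conditional wildcard principals as a separate, lower-severity finding.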
P2 S3 MFA delete on versioned buckets
s3:GetBucketVersioning
What We Verify
Checks if MFA delete is required to permanently delete versioned objects.
Risk Output
Without MFA delete, a compromised admin can permanently destroy all data versions.
EC2 & Network Security
13 Dedicated Checks
EC2 instances and network configuration are the backbone of your infrastructure. These checks identify exposed services and network misconfigurations.
P0 Security groups with SSH/RDP/ALL open to 0.0.0.0/0
ec2:DescribeSecurityGroups
What We Verify
Finds security groups allowing SSH (22), RDP (3389), or all traffic from any IP address.
Risk Output
Any attacker on the internet can attempt brute-force or exploit vulnerabilities on open ports.
P1 Default VPC in use
ec2:DescribeVpcs
What We Verify
Checks if production resources run in the default VPC.
Risk Output
Default VPCs have permissive settings. Custom VPCs allow proper network segmentation.
P0 EC2 IMDSv2 enforced
ec2:DescribeInstances
What We Verify
Checks if EC2 instances require IMDSv2 (token-based metadata service).
Risk Output
IMDSv1 is vulnerable to SSRF attacks. The Capital One breach exploited this exact weakness.
P0 EBS snapshots not public
ec2:DescribeSnapshotAttribute
What We Verify
Ensures no EBS snapshots are shared publicly.
Risk Output
Public snapshots expose disk contents including credentials, databases, and source code.
P1 AMIs not shared publicly
ec2:DescribeImageAttribute
What We Verify
Ensures custom AMIs are not publicly shared.
Risk Output
Public AMIs expose your server configurations, installed software, and potentially embedded credentials.
P1 EC2 instances with public IPs in private subnets
ec2:DescribeInstances + DescribeRouteTables
What We Verify
Identifies instances that have public IPs but, based on their subnet's route table, should not.
Risk Output
Unnecessary public exposure increases attack surface.
P1 VPC Flow Logs enabled
ec2:DescribeFlowLogs
What We Verify
Checks if VPC Flow Logs are configured for network traffic monitoring.
Risk Output
Without flow logs, network-based attacks go undetected. Required for forensics and compliance.
P1 Network ACLs allowing unrestricted access
ec2:DescribeNetworkAcls
What We Verify
Reviews NACLs for overly permissive inbound rules (all traffic from 0.0.0.0/0).
Risk Output
NACLs are your second layer of defense. Permissive NACLs negate security group restrictions.
P2 Unused security groups
ec2:DescribeSecurityGroups + DescribeNetworkInterfaces
What We Verify
Finds security groups not attached to any resource.
Risk Output
Unused security groups clutter the environment and may be accidentally attached later with permissive rules.
P2 Elastic IPs not associated (cost waste)
ec2:DescribeAddresses
What We Verify
Finds Elastic IPs not attached to any resource (charged by AWS).
Risk Output
Unused EIPs cost $3.65/month each and indicate orphaned resources.
P1 EC2 instances managed by SSM
ssm:DescribeInstanceInformation
What We Verify
Checks if running EC2 instances are managed by AWS Systems Manager.
Risk Output
Instances without SSM cannot be remotely patched or managed. Security patches must be applied manually.
P1 Security groups with unrestricted egress
ec2:DescribeSecurityGroups
What We Verify
Finds non-default security groups allowing all outbound traffic to 0.0.0.0/0.
Risk Output
Unrestricted egress allows compromised instances to freely exfiltrate data to any destination.
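As an added example (not the scanner's own code), here is the rule evaluation behind the open-ingress and unrestricted-egress checks, applied to records shaped like the SecurityGroups entries boto3 returns from ec2:DescribeSecurityGroups. The groups and their ids are constructed samples.

```python
# Added example, not the scanner's own code: evaluate security group rules for
# the "SSH/RDP/ALL open to 0.0.0.0/0" and "unrestricted egress" checks.
# Sample groups below are constructed.

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}

def _open_to_world(perm):
    """True if the rule's source or destination includes the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def _exposed(perm):
    """Services a permission exposes: {"ALL"} for all traffic, else SSH/RDP if in range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return {"ALL"}
    if proto not in ("tcp", "udp"):
        return set()  # ICMP carries type/code rather than ports
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    if proto == "tcp" and lo == 0 and hi == 65535:
        return {"ALL"}
    return {name for port, name in WATCHED_PORTS.items() if lo <= port <= hi}

def check_ingress(groups):
    """(GroupId, INGRESS_SSH | INGRESS_RDP | INGRESS_ALL) for world-open inbound rules."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _open_to_world(perm):
                for what in sorted(_exposed(perm)):
                    findings.append((sg["GroupId"], "INGRESS_" + what))
    return findings

def check_egress(groups):
    """(GroupId, EGRESS_ALL) for non-default groups allowing all outbound traffic to the world."""
    findings = []
    for sg in groups:
        if sg.get("GroupName") == "default":
            continue  # the check excludes the VPC default group, which allows all egress by design
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and _open_to_world(perm):
                findings.append((sg["GroupId"], "EGRESS_ALL"))
                break
    return findings

def _rule(proto, cidr=None, cidr6=None, lo=None, hi=None):
    """Build a constructed IpPermissions entry."""
    perm = {"IpProtocol": proto, "IpRanges": [], "Ipv6Ranges": []}
    if lo is not None:
        perm["FromPort"], perm["ToPort"] = lo, hi
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if cidr6:
        perm["Ipv6Ranges"].append({"CidrIpv6": cidr6})
    return perm

SAMPLE_GROUPS = [  # constructed
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [_rule("tcp", ANY_V4, lo=443, hi=443)],
     "IpPermissionsEgress": [_rule("tcp", ANY_V4, lo=443, hi=443)]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion",
     "IpPermissions": [_rule("tcp", ANY_V4, lo=22, hi=22)],
     "IpPermissionsEgress": [_rule("-1", ANY_V4)]},
    {"GroupId": "sg-0ccc", "GroupName": "rdp",
     "IpPermissions": [_rule("tcp", "10.0.0.0/8", lo=3389, hi=3389),
                       _rule("tcp", cidr6=ANY_V6, lo=3000, hi=4000)],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ddd", "GroupName": "wide-open",
     "IpPermissions": [_rule("-1", ANY_V4)], "IpPermissionsEgress": []},
    {"GroupId": "sg-0eee", "GroupName": "default",
     "IpPermissions": [], "IpPermissionsEgress": [_rule("-1", ANY_V4)]},
]

if __name__ == "__main__":
    print(check_ingress(SAMPLE_GROUPS))
    print(check_egress(SAMPLE_GROUPS))
```

Two details matter in practice: a port range that merely contains 22 or 3389 (sg-0ccc's 3000-4000 range over IPv6) is just as exposed as a single-port rule, and the IPv6 "::/0" source is checked alongside 0.0.0.0/0, since a rule open only over IPv6 is still open to the internet.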
P1 Unattached EBS volumes (cost waste)
ec2:DescribeVolumes
What We Verify
Finds EBS volumes not attached to any EC2 instance.
Risk Output
You're paying for storage nobody is using. Typical savings: $10-50/month per volume.
Logging & Monitoring
12 Dedicated Checks
Logging and monitoring provide visibility into your AWS environment. Without them, security incidents go undetected.
P0 CloudTrail enabled and logging
cloudtrail:DescribeTrails
What We Verify
Verifies at least one CloudTrail trail is active and logging API calls.
Risk Output
Without CloudTrail, you have no record of who did what in your AWS account. Critical for compliance and forensics.
P0 GuardDuty enabled
guardduty:ListDetectors
What We Verify
Checks if Amazon GuardDuty ML-based threat detection is enabled.
Risk Output
GuardDuty detects compromised instances, unauthorized access, crypto-mining, and malicious activity. Without it, threats go unnoticed.
P1 CloudTrail log file validation
cloudtrail:DescribeTrails
What We Verify
Checks if log file integrity validation is enabled.
Risk Output
Without validation, attackers who gain access can modify logs to cover their tracks.
P1 CloudTrail logs encrypted with KMS
cloudtrail:DescribeTrails
What We Verify
Verifies CloudTrail logs are encrypted using KMS keys.
Risk Output
Unencrypted logs can be read by anyone with S3 access, exposing API activity details.
P1 CloudTrail multi-region enabled
cloudtrail:DescribeTrails
What We Verify
Checks if CloudTrail covers all AWS regions, not just one.
Risk Output
Attackers can launch resources in regions you're not monitoring to avoid detection.
P1 CloudWatch Log Group retention set
logs:DescribeLogGroups
What We Verify
Checks if log groups have retention periods configured (not infinite).
Risk Output
Infinite retention increases costs. No retention means logs disappear. Both are bad.
P0 CloudWatch alarm for root account usage
cloudwatch:DescribeAlarms + logs:DescribeMetricFilters
What We Verify
Checks if an alarm exists to alert when the root account is used.
Risk Output
Root account usage should be extremely rare. Any usage could indicate compromise. CIS Benchmark 3.3.
P1 CloudWatch alarm for unauthorized API calls
logs:DescribeMetricFilters
What We Verify
Checks for alarms on AccessDenied or UnauthorizedAccess events.
Risk Output
Repeated unauthorized API calls indicate someone probing your account. CIS 3.1.
P1 AWS Config enabled
config:DescribeConfigurationRecorders
What We Verify
Checks if AWS Config is recording resource configurations.
Risk Output
Without Config, you can't track configuration changes or audit compliance over time.
P1 Security Hub enabled
securityhub:DescribeHub
What We Verify
Checks if AWS Security Hub is enabled for centralized security findings.
Risk Output
Security Hub aggregates findings from GuardDuty, Inspector, Macie into one view.
P1 CloudWatch alarm for console login without MFA
logs:DescribeMetricFilters
What We Verify
Checks for a metric filter and alarm that fire when someone logs into the console without MFA.
Risk Output
Console login without MFA may indicate compromised credentials. CIS 3.2.
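The three alarm checks above (root usage, unauthorized API calls, console login without MFA) share one procedure: find a metric filter whose pattern matches the CIS pattern, then confirm an alarm references the filter's metric and has an action. As an added example (not the scanner's own code), the following implements that procedure. The filter and alarm records are constructed samples shaped like the boto3 responses from logs:DescribeMetricFilters and cloudwatch:DescribeAlarms; the filter patterns are the CIS AWS Foundations Benchmark patterns for the controls this page numbers 3.1, 3.2 and 3.3.

```python
# Added example, not the scanner's own code: verify the CIS metric filters exist
# and are wired to an alarm with an action. Samples below are constructed.

# Fragments that must all occur in the filter pattern, compared with whitespace removed.
REQUIRED_FRAGMENTS = {
    "CIS 3.1 unauthorized API calls": [
        '$.errorCode="*UnauthorizedOperation"', '$.errorCode="AccessDenied*"'],
    "CIS 3.2 console login without MFA": [
        '$.eventName="ConsoleLogin"', '$.additionalEventData.MFAUsed!="Yes"'],
    "CIS 3.3 root account usage": [
        '$.userIdentity.type="Root"', '$.userIdentity.invokedByNOTEXISTS'],
}
# Worst to best; a check keeps the best status any matching filter achieves.
STATUS_ORDER = ["NO_FILTER", "NO_ALARM", "ALARM_NO_ACTION", "OK"]

def _squash(text):
    """Remove all whitespace so patterns compare regardless of spacing."""
    return "".join(text.split())

def _status_for_filter(metric_filter, alarms):
    """Is some alarm watching this filter's metric, and does it notify anyone?"""
    metrics = {(t["metricNamespace"], t["metricName"])
               for t in metric_filter.get("metricTransformations", [])}
    status = "NO_ALARM"
    for alarm in alarms:
        if (alarm.get("Namespace"), alarm.get("MetricName")) not in metrics:
            continue
        if alarm.get("AlarmActions") and alarm.get("ActionsEnabled", True):
            return "OK"
        status = "ALARM_NO_ACTION"
    return status

def evaluate_cis_alarms(metric_filters, alarms):
    """Return {check name: NO_FILTER | NO_ALARM | ALARM_NO_ACTION | OK}."""
    results = {}
    for check, fragments in REQUIRED_FRAGMENTS.items():
        best = "NO_FILTER"
        for mf in metric_filters:
            pattern = _squash(mf.get("filterPattern", ""))
            if all(fragment in pattern for fragment in fragments):
                status = _status_for_filter(mf, alarms)
                if STATUS_ORDER.index(status) > STATUS_ORDER.index(best):
                    best = status
        results[check] = best
    return results

# Constructed samples: root-usage filter with a working alarm, no-MFA filter
# with no alarm at all, and no filter for unauthorized API calls.
SAMPLE_FILTERS = [
    {"filterName": "RootUsage", "logGroupName": "CloudTrail/DefaultLogGroup",
     "filterPattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                      '&& $.eventType != "AwsServiceEvent" }',
     "metricTransformations": [{"metricName": "RootAccountUsageCount",
                                "metricNamespace": "CISBenchmark", "metricValue": "1"}]},
    {"filterName": "ConsoleNoMFA", "logGroupName": "CloudTrail/DefaultLogGroup",
     "filterPattern": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     "metricTransformations": [{"metricName": "ConsoleSigninWithoutMFACount",
                                "metricNamespace": "CISBenchmark", "metricValue": "1"}]},
]
SAMPLE_ALARMS = [
    {"AlarmName": "CIS-3.3-RootAccountUsage", "Namespace": "CISBenchmark",
     "MetricName": "RootAccountUsageCount", "ActionsEnabled": True,
     "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]},
]

if __name__ == "__main__":
    for check, status in evaluate_cis_alarms(SAMPLE_FILTERS, SAMPLE_ALARMS).items():
        print(f"{status:16} {check}")
```

A complete implementation would also confirm that the filter's log group is the one a multi-region CloudTrail trail actually delivers to, and that the SNS topic in AlarmActions has at least one confirmed subscription; an alarm that fires into an empty topic is the ALARM_NO_ACTION case in a different costume.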
P2 S3 access logging for CloudTrail bucket
s3:GetBucketLogging
What We Verify
Checks if the S3 bucket storing CloudTrail logs has access logging enabled.
Risk Output
Logging on the log bucket detects tampering with your audit trail.
Database Security
11 Dedicated Checks
Databases contain your most sensitive data — customer information, financial records, intellectual property. These checks ensure they are protected.
P0 RDS instances not publicly accessible
rds:DescribeDBInstances
What We Verify
Checks if any RDS database is accessible from the internet.
Risk Output
Public databases are directly attackable. SQL injection, brute-force, and known CVE exploits can be launched from anywhere.
P0 RDS storage encryption enabled
rds:DescribeDBInstances
What We Verify
Verifies all RDS instances have storage encryption.
Risk Output
Unencrypted databases fail compliance requirements and expose data if storage is compromised.
P1 RDS automated backups enabled
rds:DescribeDBInstances
What We Verify
Checks if automated backups are enabled with adequate retention.
Risk Output
Without backups, data loss from accidental deletion or ransomware is permanent.
P1 RDS deletion protection enabled
rds:DescribeDBInstances
What We Verify
Checks if deletion protection prevents accidental database destruction.
Risk Output
Without deletion protection, a single API call or console click can destroy your database.
P0 RDS snapshots not public
rds:DescribeDBSnapshotAttributes
What We Verify
Ensures no RDS snapshots are shared publicly.
Risk Output
Public snapshots expose your entire database contents — customer data, credentials, everything.
P2 RDS multi-AZ for production
rds:DescribeDBInstances
What We Verify
Checks if production databases have Multi-AZ failover.
Risk Output
Single-AZ databases have downtime during maintenance and hardware failures. No automatic failover.
P2 RDS minor version auto-upgrade
rds:DescribeDBInstances
What We Verify
Verifies automatic minor version upgrades are enabled.
Risk Output
Outdated database engines have known security vulnerabilities that will not be automatically patched.
P1 RDS using non-default ports
rds:DescribeDBInstances
What We Verify
Checks if databases use default ports (3306/MySQL, 5432/PostgreSQL, 1521/Oracle, 1433/SQL Server).
Risk Output
Default ports are the first target for automated scanning attacks and port-based exploits.
P1 DynamoDB tables encrypted with KMS CMK
dynamodb:DescribeTable
What We Verify
Checks encryption settings on DynamoDB tables for KMS customer-managed key usage.
Risk Output
Default AWS-owned encryption provides no key control or audit trail. KMS CMK enables compliance.
P1 DynamoDB point-in-time recovery enabled
dynamodb:DescribeContinuousBackups
What We Verify
Verifies PITR is enabled for data recovery to any second in 35 days.
Risk Output
Without PITR, accidental data deletion is permanent and unrecoverable.
P1 ElastiCache encryption in transit & at rest
elasticache:DescribeReplicationGroups
What We Verify
Checks if Redis/Memcached connections and storage are encrypted.
Risk Output
Unencrypted cache traffic can expose session tokens, passwords, and PII.
Encryption & Data Protection
10 Dedicated Checks
Encryption protects data at rest and in transit. These checks ensure proper key management and encryption across all services.
P0 EBS volumes encrypted
ec2:DescribeVolumes
What We Verify
Checks if all EBS volumes have encryption enabled.
Risk Output
Unencrypted EBS volumes expose data if physical storage is compromised or snapshots are shared.
P1 EBS default encryption enabled
ec2:GetEbsEncryptionByDefault
What We Verify
Checks if account-level default EBS encryption is turned on.
Risk Output
Without default encryption, new volumes created without specifying encryption will be unencrypted.
P1 KMS key rotation enabled
kms:GetKeyRotationStatus
What We Verify
Verifies automatic annual key rotation for customer-managed KMS keys.
Risk Output
Without rotation, a compromised key provides indefinite access to encrypted data.
P0 ACM certificates expiring within 30 days
acm:ListCertificates + DescribeCertificate
What We Verify
Finds SSL/TLS certificates that expire within 30 days.
Risk Output
Expired certificates cause service outages and security warnings for customers.
P1 KMS keys scheduled for deletion
kms:ListKeys + DescribeKey
What We Verify
Identifies KMS keys pending deletion that may still be needed.
Risk Output
Deleted KMS keys make all data encrypted with that key permanently inaccessible.
P2 SNS topics encrypted
sns:GetTopicAttributes
What We Verify
Checks if SNS topics use server-side encryption.
Risk Output
Unencrypted SNS messages may contain sensitive notification data.
P2 SQS queues encrypted
sqs:GetQueueAttributes
What We Verify
Checks if SQS queues use server-side encryption.
Risk Output
Unencrypted queue messages may contain sensitive business data.
P1 EFS file systems encrypted
efs:DescribeFileSystems
What We Verify
Checks if Elastic File System volumes are encrypted.
Risk Output
Shared file systems often contain sensitive documents and application data.
P1 Secrets Manager rotation enabled
secretsmanager:ListSecrets
What We Verify
Checks if secrets have automatic rotation configured.
Risk Output
Static secrets that never rotate increase compromise risk over time.
P1 ACM certificate key strength
acm:DescribeCertificate
What We Verify
Checks if ACM certificates use RSA-2048 or stronger key algorithms.
Risk Output
Key length below 2048 bits is considered insecure and can be brute-forced.
Lambda & Serverless
8 Dedicated Checks
Serverless functions run with IAM roles and can access your entire AWS environment. These checks ensure Lambda functions follow security best practices.
P0 Lambda functions with admin IAM roles
lambda:ListFunctions + iam:ListAttachedRolePolicies
What We Verify
Finds Lambda functions whose execution role has administrator or wildcard permissions.
Risk Output
A compromised or buggy Lambda with admin access can read/write/delete any resource in your entire account.
P0 Lambda functions with public access
lambda:GetPolicy
What We Verify
Checks if Lambda resource policies allow invocation from any AWS account (Principal: *).
Risk Output
Public Lambda functions can be invoked by anyone, triggering data access or massive compute costs.
P1 Lambda using deprecated runtimes
lambda:ListFunctions
What We Verify
Identifies Lambda functions running on end-of-life runtimes (Python 3.7, Node 14, etc.).
Risk Output
Deprecated runtimes no longer receive security patches for known vulnerabilities.
P0 Lambda environment variable secrets
lambda:GetFunction
What We Verify
Scans Lambda environment variables for hardcoded secrets, API keys, passwords, or tokens.
Risk Output
Environment variables are visible in the console and API. Secrets should be stored in Secrets Manager.
P2 Lambda without DLQ configured
lambda:GetFunctionConfiguration
What We Verify
Checks if Dead Letter Queues are configured for async invocations.
Risk Output
Without DLQ, failed invocations are silently lost with no retry, alerting, or debugging capability.
P2 Lambda concurrency limits set
lambda:GetFunctionConcurrency
What We Verify
Checks if Lambda functions have reserved concurrency limits configured.
Risk Output
Runaway functions can consume all account concurrency, causing other functions to throttle and fail.
P1 API Gateway with WAF attached
apigateway:GetRestApis + wafv2
What We Verify
Checks if API Gateway endpoints have AWS WAF protection.
Risk Output
Unprotected APIs are vulnerable to SQL injection, XSS, and DDoS attacks.
P1 API Gateway SSL/TLS minimum version
apigateway:GetDomainNames
What We Verify
Verifies API Gateway enforces TLS 1.2 minimum on custom domains.
Risk Output
TLS 1.0 and 1.1 have known vulnerabilities that can be exploited for data interception.
Cost & Waste Detection
15 Dedicated Checks
These checks identify resources you're paying for but not using. Every finding here is money you can save immediately.
P1 Idle EC2 instances (< 5% avg CPU)
cloudwatch:GetMetricStatistics
What We Verify
Identifies EC2 instances with consistently low CPU utilization over 14 days.
Risk Output
Idle instances are wasting money. Consider downsizing, stopping, or terminating.
P2 Old EBS snapshots (> 180 days)
ec2:DescribeSnapshots
What We Verify
Finds EBS snapshots older than 6 months with estimated cost.
Risk Output
Old snapshots accumulate costs and may contain outdated sensitive data.
P1 NAT Gateway inventory & cost
ec2:DescribeNatGateways
What We Verify
Inventories active NAT Gateways and calculates monthly cost.
Risk Output
NAT Gateways cost $32/month minimum plus data processing charges even with minimal traffic.
P1 Unused load balancers (zero targets)
elbv2:DescribeTargetGroups + DescribeTargetHealth
What We Verify
Finds ALBs/NLBs with no registered or healthy targets.
Risk Output
Empty load balancers cost $16-23/month with no benefit.
P2 Oversized EC2 instances (Compute Optimizer)
compute-optimizer:GetEC2InstanceRecommendations
What We Verify
Identifies instances that can be downsized based on actual usage patterns.
Risk Output
Over-provisioned instances waste money. An m5.2xlarge at $280/mo may only need a t3.medium at $30/mo.
P1 EBS gp2 to gp3 Migration
ec2:DescribeVolumes
What We Verify
Scans for older general-purpose gp2 volumes.
Risk Output
Older gp2 volumes cost 20% more than gp3 and offer lower baseline performance.
P1 S3 Incomplete Multipart Uploads
s3:GetBucketLifecycleConfiguration
What We Verify
Finds S3 buckets that don't have a lifecycle rule to clean up failed/incomplete multipart uploads.
Risk Output
Failed uploads are invisible in the console but you are billed for their storage indefinitely.
P0 S3 Versioning Waste
s3:GetBucketLifecycleConfiguration
What We Verify
Flags buckets with versioning enabled but no rules to delete or transition non-current versions.
Risk Output
Over time, every edit to an object leaves a non-current version behind, and the bucket's storage cost balloons.
P1 Orphaned AMIs
ec2:DescribeImages
What We Verify
Finds old, unused Amazon Machine Images (AMIs) older than 1 year.
Risk Output
AMIs store an underlying EBS snapshot, meaning every unused AMI on your account is costing you storage money.
P0 Idle RDS Instances
cloudwatch:GetMetricStatistics
What We Verify
Monitors RDS databases that have had 0 active connections for the past 7 days.
Risk Output
Running databases with no connections cost hundreds of dollars and provide zero value.
P1 Legacy Generation Instances
ec2:DescribeInstances
What We Verify
Flags EC2 instances using older generation hardware (T2, M4, C4).
Risk Output
Newer generations are functionally identical but cost 10-20% less and offer better performance.
P2 Idle DynamoDB Tables
dynamodb:ListTables
What We Verify
Detects tables with zero read/write capacity usage over the past 30 days.
Risk Output
Unused provisioned tables generate fixed hourly costs for no reason.
P0 Cost Anomaly Detection Disabled
ce:GetAnomalyMonitors
What We Verify
Verifies whether the account has AWS Cost Anomaly Detection enabled.
Risk Output
Without anomaly detection, crypto-mining hacks can generate massive bills before you notice.
P1 Idle Database Clusters
redshift:DescribeClusters
What We Verify
Checks for expensive Redshift or ElastiCache clusters with no connections.
Risk Output
These clusters are very expensive and should not be left idle.
P0 Overprovisioned IOPS
ec2:DescribeVolumes
What We Verify
Checks if provisioned IOPS (io1/io2 volumes) are actually necessary compared to gp3.
Risk Output
Provisioned IOPS volumes are incredibly expensive.
Containers & EKS
7 Dedicated Checks
Container security ensures your Docker images, ECS tasks, and EKS clusters are properly configured and hardened.
P1 ECR image scan on push enabled
ecr:DescribeRepositories
What We Verify
Checks if ECR repositories automatically scan images for vulnerabilities on push.
Risk Output
Deploying unscanned images may introduce known CVEs into production.
P0 ECR repositories not public
ecr-public:DescribeRepositories
What We Verify
Ensures no ECR repositories are publicly accessible.
Risk Output
Public repositories expose your container images, application code, and potentially embedded secrets.
P1 ECS tasks not running as root
ecs:DescribeTaskDefinition
What We Verify
Checks if ECS task definitions specify non-root user execution.
Risk Output
Root containers can potentially escape to the host system in certain configurations.
P1 ECS tasks not using host network mode
ecs:DescribeTaskDefinition
What We Verify
Checks if ECS tasks use host network mode which shares the host's network namespace.
Risk Output
Host network mode breaks container network isolation. Containers can sniff all host network traffic.
P0 EKS cluster endpoint not public
eks:DescribeCluster
What We Verify
Checks if EKS API server endpoint is accessible from the internet.
Risk Output
Public EKS endpoints allow anyone to attempt authentication against your Kubernetes cluster.
P1 EKS cluster logging enabled
eks:DescribeCluster
What We Verify
Verifies EKS control plane logging is enabled for all log types.
Risk Output
Without logging, Kubernetes API activity and authentication events are not recorded.
P1 EKS running supported Kubernetes version
eks:DescribeCluster
What We Verify
Checks if EKS clusters are running a supported Kubernetes version (1.28+).
Risk Output
Old Kubernetes versions have known security vulnerabilities and lose AWS support.
Compliance & Governance
10 Dedicated Checks
Governance checks ensure your AWS organization follows best practices for account structure, billing, and compliance frameworks.
P1 AWS Organizations SCP configured
organizations:ListPolicies
What We Verify
Checks if custom Service Control Policies are in place to enforce guardrails.
Risk Output
Without SCPs, individual accounts can bypass organizational security policies.
P1 Billing alerts configured
cloudwatch:DescribeAlarms
What We Verify
Checks if billing alarms are set up to prevent cost surprises.
Risk Output
Without billing alerts, a misconfiguration or crypto-mining attack can run up massive charges before anyone notices.
P2 Tagging policy enforcement
resourcegroupstaggingapi:GetResources
What We Verify
Checks if resources follow organizational tagging standards (Environment, Owner, Project).
Risk Output
Untagged resources can't be tracked for cost allocation, ownership, or compliance.
P2 Account alternate contacts configured
account:GetAlternateContact
What We Verify
Checks if billing, operations, and security contacts are set.
Risk Output
Without alternate contacts, critical AWS notifications may not reach the right people.
P2 AWS Support plan level
support:DescribeTrustedAdvisorChecks
What We Verify
Identifies the current AWS support plan level.
Risk Output
Basic support has no access to technical support or full Trusted Advisor checks.
P1 Trusted Advisor recommendations
support:DescribeTrustedAdvisorCheckResult
What We Verify
Pulls and analyzes AWS Trusted Advisor security findings.
Risk Output
Trusted Advisor automatically identifies security, performance, and cost issues that need attention.
P1 CIS AWS Foundations Benchmark mapping
N/A (analysis)
What We Verify
Maps all scanner findings to CIS AWS Foundations Benchmark v1.5 controls (24 controls).
Risk Output
CIS Benchmark is the industry standard for AWS security. Mapping provides compliance evidence.
P1 SOC2 Trust Criteria mapping
N/A (analysis)
What We Verify
Maps findings to SOC2 Trust Service Criteria (CC6, CC7, CC8).
Risk Output
SOC2 compliance is required by most enterprise customers. This mapping accelerates audit preparation.
P1 ISO 27001 Annex A mapping
N/A (analysis)
What We Verify
Maps findings to ISO 27001 Annex A control areas (A.9, A.10, A.12, A.13, A.14, A.18).
Risk Output
ISO 27001 certification requires demonstrating control implementation. This provides evidence.
P1 PCI-DSS requirement mapping
N/A (analysis)
What We Verify
Maps findings to PCI-DSS requirements (Req 1, 2, 3, 7, 8, 10).
Risk Output
PCI-DSS is mandatory for handling credit card data. Non-compliance can result in fines.
CDN & Edge Security
7 Dedicated Checks
CloudFront and Route53 protect your internet-facing assets and content delivery networks.
P1 CloudFront HTTP allowed
cloudfront:GetDistribution
What We Verify
Checks if Viewer Protocol Policy allows HTTP instead of enforcing HTTPS.
Risk Output
Data in transit is not fully encrypted and can be intercepted.
P1 CloudFront WAF missing
cloudfront:GetDistribution
What We Verify
Checks if a Web Application Firewall is associated with the distribution.
Risk Output
Vulnerable to bot attacks, DDoS, and application-layer exploits.
P2 CloudFront missing Default Root Object
cloudfront:GetDistribution
What We Verify
Checks if a default root object (e.g., index.html) is set.
Risk Output
Root URL requests may fail or reveal directory contents.
P1 CloudFront outdated TLS
cloudfront:GetDistribution
What We Verify
Flags distributions accepting deprecated TLSv1 or SSLv3.
Risk Output
Old TLS versions have known vulnerabilities and fail compliance.
P2 Route53 query logging disabled
route53:ListQueryLoggingConfigs
What We Verify
Verifies DNS queries are being logged.
Risk Output
Cannot monitor DNS-level threats or data exfiltration attempts.
P2 Route53 DNSSEC not enabled
route53:GetDNSSEC
What We Verify
Ensures DNSSEC signing is activated.
Risk Output
Vulnerable to DNS spoofing and cache poisoning attacks.
P2 Route53 domains privacy disabled
route53domains:GetDomainDetail
What We Verify
Validates Admin and Registrant privacy are active.
Risk Output
Exposes your contact info to WHOIS scraping.
Advanced Authentication
6 Dedicated Checks
Cognito secures your application users. These checks enforce robust authentication and password policies.
P0 Cognito MFA disabled
cognito-idp:DescribeUserPool
What We Verify
Flags user pools completely disabling Multi-Factor Authentication.
Risk Output
User accounts are vulnerable to credential stuffing and phishing.
P1 Cognito WAF missing
cognito-idp:DescribeUserPool
What We Verify
Checks if an external WAF is shielding the Cognito instance.
Risk Output
Vulnerable to automated login stuffing attacks.
P0 Cognito weak password policy
cognito-idp:DescribeUserPool
What We Verify
Assesses the robustness of the pool's password rules.
Risk Output
Allows weak passwords that can be easily brute-forced.
P1 Cognito deletion protection disabled
cognito-idp:DescribeUserPool
What We Verify
Checks if deletion protection is enabled on the user pool to block accidental or malicious deletion of user data.
Risk Output
User pool can be accidentally or maliciously deleted, erasing entire customer database.
P0 Cognito unauthenticated guest identities
cognito-identity:DescribeIdentityPool
What We Verify
Warns if identity pools hand out unauthenticated (guest) identities backed by IAM roles.
Risk Output
Unauthenticated users may access AWS resources if IAM roles are too permissive.
P2 Cognito advanced security not enforced
cognito-idp:DescribeUserPool
What We Verify
Checks if Cognito's built-in advanced security (risk-based adaptive authentication) is enforced.
Risk Output
Misses out on compromised credential checking and risk-based auth.
CI/CD Pipeline Security
5 Dedicated Checks
These checks protect the CI/CD environment from leaking intellectual property or administrative secrets.
P0 CodeBuild plaintext secrets
codebuild:BatchGetProjects
What We Verify
Scans environment variables for plaintext secrets via regex (e.g., tokens, passwords).
Risk Output
Anyone with visibility into the project can steal hardcoded credentials.
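The CodeBuild plaintext-secret check above and the Lambda environment-variable check earlier on this page are the same regex scan over two API shapes. As an added example (not the scanner's own code), the following runs that scan over records shaped like Environment.Variables from lambda:GetFunction and environment.environmentVariables from codebuild:BatchGetProjects. The variable sets are constructed samples; AKIAIOSFODNN7EXAMPLE is the access key id AWS uses in its own documentation, and the entropy threshold is a tuning assumption.

```python
import math
import re
from collections import Counter

# Added example, not the scanner's own code: flag plaintext secrets in Lambda
# and CodeBuild environment variables. Samples below are constructed.

SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
VALUE_PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "PRIVATE_KEY_BLOCK": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ENTROPY_THRESHOLD = 4.0   # bits/char; assumed cut-off, random strings of 20+ chars score above it
MIN_ENTROPY_LENGTH = 20

def shannon_entropy(text):
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def _is_reference(value):
    """ARNs and URLs point at a secret store; they are not secrets themselves."""
    return value.startswith(("arn:", "https://", "http://"))

def classify_value(name, value):
    """Reasons a variable looks like a hardcoded secret (empty list if clean)."""
    reasons = []
    if not value or _is_reference(value):
        return reasons
    for label, rx in VALUE_PATTERNS.items():
        if rx.search(value):
            reasons.append(label)
    if SENSITIVE_NAME.search(name):
        reasons.append("SENSITIVE_NAME")
    if len(value) >= MIN_ENTROPY_LENGTH and shannon_entropy(value) > ENTROPY_THRESHOLD:
        reasons.append("HIGH_ENTROPY")
    return reasons

def scan_lambda_env(variables):
    """variables: the Environment.Variables dict from lambda:GetFunction."""
    findings = []
    for name, value in variables.items():
        reasons = classify_value(name, value)
        if reasons:
            findings.append((name, reasons))
    return findings

def scan_codebuild_env(environment_variables):
    """Only PLAINTEXT variables (the default type) carry the value itself;
    PARAMETER_STORE and SECRETS_MANAGER entries carry a reference and are skipped."""
    findings = []
    for var in environment_variables:
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        reasons = classify_value(var["name"], var.get("value", ""))
        if reasons:
            findings.append((var["name"], reasons))
    return findings

LAMBDA_VARIABLES = {  # constructed
    "LOG_LEVEL": "info",
    "TABLE_NAME": "orders-prod",
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders-db-AbCdEf",
    "DB_PASSWORD": "hunter2",
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "SESSION_SALT": "x7Qp9vLm2ZkR4tWn8bYc3HdJ",
}
CODEBUILD_VARIABLES = [  # constructed
    {"name": "DB_PASSWORD", "value": "/prod/orders/db-password", "type": "PARAMETER_STORE"},
    {"name": "NPM_TOKEN", "value": "npm_0123456789abcdef", "type": "PLAINTEXT"},
    {"name": "BUILD_ENV", "value": "prod"},
]

if __name__ == "__main__":
    print("lambda:", scan_lambda_env(LAMBDA_VARIABLES))
    print("codebuild:", scan_codebuild_env(CODEBUILD_VARIABLES))
```

The reference test is what keeps the scan useful: a DB_SECRET_ARN variable holding a Secrets Manager ARN is exactly the pattern the Risk Output recommends, and must not be reported just because its name contains SECRET. The entropy heuristic catches values with no telling name (SESSION_SALT above) at the cost of occasional false positives on long opaque identifiers, which is why it is reported as its own reason rather than folded into the others.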
P1 CodeBuild S3 logs unencrypted
codebuild:BatchGetProjects
What We Verify
Validates S3-bound build logs are properly encrypted.
Risk Output
Build logs may contain sensitive intellectual property or tracebacks exposing credentials.
P1 CodeBuild CW logs default key
codebuild:BatchGetProjects
What We Verify
Checks if CloudWatch build logs are encrypted with a customer-managed KMS key (CMK) rather than the default key.
Risk Output
CloudWatch build logs are not encrypted with a CMK.
P0 CodeBuild PUBLIC project
codebuild:BatchGetProjects
What We Verify
Identifies projects with PUBLIC_READ access leaking build logs to the internet.
Risk Output
Anyone on the internet can read this project's build logs, fetching source code or variables.
P1 CodeBuild Privileged Mode access
codebuild:BatchGetProjects
What We Verify
Warns about build containers configured to run in privileged mode.
Risk Output
Privileged mode permits container breakout. Avoid unless building Docker images.
Native Security Operations
8 Dedicated Checks
These checks verify that AWS native security services (Macie, Inspector) are in use and that VPC endpoints keep service traffic inside the AWS network.
P1 Amazon Macie disabled
macie2:GetMacieSession
What We Verify
Validates that Macie is activated in the region for PII discovery.
Risk Output
PII in S3 buckets goes undiscovered and unprotected.
P1 Macie Automated Discovery disabled
macie2:GetAutomatedDiscoveryConfiguration
What We Verify
Confirms the automated storage PII scanning engine is enabled.
Risk Output
Macie is not automatically checking bucket objects for PII/financial data.
P1 Inspector v2 EC2 scanning disabled
inspector2:ListAccountPermissions
What We Verify
Evaluates whether Inspector v2 continuous CVE scanning is utilized across EC2.
Risk Output
EC2 instances are not continuously monitored for software vulnerabilities/CVEs.
P1 Inspector v2 ECR scanning disabled
inspector2:ListAccountPermissions
What We Verify
Evaluates whether Inspector v2 continuous CVE scanning is utilized across ECR.
Risk Output
Container images are not monitored for vulnerabilities/CVEs before deployment.
P1 VPC lacking S3 Endpoint
ec2:DescribeVpcEndpoints
What We Verify
Ensures each VPC has an S3 gateway endpoint so S3 traffic stays on the AWS network instead of leaving via the internet.
Risk Output
S3 traffic routes via public internet (NAT Gateway), causing massive unnecessary bandwidth charges.
P1 VPC lacking DynamoDB Endpoint
ec2:DescribeVpcEndpoints
What We Verify
Ensures each VPC has a DynamoDB gateway endpoint so DynamoDB traffic stays on the AWS network instead of leaving via the internet.
Risk Output
Traffic to DynamoDB exits out to the internet, costing money and bypassing internal security controls.
P1 VPC lacking SecretsManager Endpoint
ec2:DescribeVpcEndpoints
What We Verify
Ensures traffic to SecretsManager stays within AWS network.
Risk Output
Fetching secrets from ECS/EC2 relies on internet access.
P0 VPC Endpoint full access policy
ec2:DescribeVpcEndpoints
What We Verify
Warns on highly permissive Principal: * Endpoint policies granting broad access.
Risk Output
The endpoint policy allows any principal to perform all actions on all resources of the service through the endpoint.