
Extra Checks in Prowler

The document lists Prowler's "extra" checks (numbered 7.1 to 7.100, with gaps) for AWS security best practices that are not part of the CIS benchmark. It includes checks that logging is enabled for services such as S3, CloudFront, ELB, Route53, API Gateway, Redshift and EKS, and that Lambda invocations are recorded by CloudTrail. It also includes checks for open access: public S3 buckets, AMIs, ECR repositories, RDS instances and Redshift clusters, and security groups that allow ingress from 0.0.0.0/0 or ::/0 to database ports. Finally, it checks for encryption of RDS storage, EBS snapshots, S3 buckets and SQS queues, for KMS key rotation, and for secrets leaked into EC2 user data, CloudFormation outputs, launch configurations and ECS task definitions.
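The security-group checks summarised above (extra749 to extra755 and extra779 in the list below) all follow the same pattern: walk every ingress permission of every group, and flag any rule whose source is 0.0.0.0/0 or ::/0 and whose port range covers a known database port. The following is an added example of that logic in Python; it is not Prowler's own code (Prowler v2 implemented these checks in bash over the AWS CLI). It takes input in the shape of `aws ec2 describe-security-groups` output, and the port table and the four sample groups are constructed for illustration. It also handles the two cases a naive port comparison misses: a port range that happens to include a database port, and `IpProtocol: -1` (all traffic).

```python
"""Added example (not Prowler's own code): the logic behind checks like
extra749-extra755 and extra779, which flag security groups that allow
ingress from 0.0.0.0/0 or ::/0 to well-known database ports.

Input is the shape returned by `aws ec2 describe-security-groups`
(the SecurityGroups list). The sample groups below are constructed
for illustration, not real AWS data.
"""
from typing import Dict, Iterable, List, Tuple

# Port -> service label, mirroring the ports named in the extra7xx checks.
SENSITIVE_PORTS: Dict[int, str] = {
    1521: "Oracle", 2483: "Oracle",
    3306: "MySQL",
    5432: "Postgres",
    6379: "Redis",
    27017: "MongoDB", 27018: "MongoDB",
    7199: "Cassandra", 9160: "Cassandra", 8888: "Cassandra",
    11211: "Memcached",
    9200: "Elasticsearch", 9300: "Elasticsearch", 5601: "Kibana",
}

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _rule_is_world_open(rule: dict) -> bool:
    """True if the ingress permission has an IPv4 or IPv6 any-address source."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _ports_covered(rule: dict) -> Iterable[int]:
    """Yield each sensitive port that the rule's port range includes.

    IpProtocol "-1" means all protocols and all ports; TCP/UDP rules carry
    FromPort/ToPort (a single port has FromPort == ToPort).
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return SENSITIVE_PORTS.keys()
    if proto not in ("tcp", "udp"):
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in SENSITIVE_PORTS if lo <= p <= hi]


def find_open_db_ports(security_groups: List[dict]) -> List[Tuple[str, str, int]]:
    """Return (GroupId, service, port) for every world-open sensitive port."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port in _ports_covered(rule):
                findings.append((sg["GroupId"], SENSITIVE_PORTS[port], port))
    return sorted(set(findings))


# Constructed sample input in describe-security-groups shape.
SAMPLE_GROUPS = [
    {   # MySQL open to the world on IPv4: should be flagged
        "GroupId": "sg-0aaa",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # Postgres restricted to an RFC1918 range: passes
        "GroupId": "sg-0bbb",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
    },
    {   # Range 6000-7000 to ::/0 covers Redis 6379 but not Cassandra 7199
        "GroupId": "sg-0ccc",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000,
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # All traffic (-1) from anywhere: every sensitive port is exposed
        "GroupId": "sg-0ddd",
        "IpPermissions": [{"IpProtocol": "-1",
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
]

if __name__ == "__main__":
    for group_id, service, port in find_open_db_ports(SAMPLE_GROUPS):
        print(f"FAIL {group_id}: {service} port {port} open to the world")
```

Note that this only inspects the security group itself: an RDS instance or Redshift cluster is reachable only if the group is attached to a public endpoint, which is what extra78 and extra711 check separately. A rule that is "world open" here but attached to nothing still warrants cleanup (extra75).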

Uploaded by: maham sabir

7.1 [extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
7.6 [extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.15 [extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled
7.16 [extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or have an open access policy
7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 [extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.20 [extra720] Check if Lambda function Invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
7.26 [extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)
7.27 [extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.28 [extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark)
7.31 [extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)
7.33 [extra733] Check if there are SAML providers, so that STS can be used (Not Scored) (Not part of CIS benchmark)
7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark)
7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
7.36 [extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
7.37 [extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
7.38 [extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
7.39 [extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark)
7.40 [extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)
7.41 [extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark)
7.42 [extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)
7.43 [extra743] Check if API Gateway has client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark)
7.44 [extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark)
7.45 [extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark)
7.46 [extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark)
7.47 [extra747] Check if RDS instances are integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark)
7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark)
7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark)
7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark)
7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark)
7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark)
7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark)
7.57 [extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)
7.58 [extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)
7.62 [extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark)
7.63 [extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)
7.65 [extra765] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)
7.67 [extra767] Check if CloudFront distributions have Field Level Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.68 [extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)
7.69 [extra769] Check if IAM Access Analyzer is enabled and its findings (Not Scored) (Not part of CIS benchmark)
7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached (Not Scored) (Not part of CIS benchmark)
7.71 [extra771] Check if S3 buckets have policies which allow WRITE access (Not Scored) (Not part of CIS benchmark)
7.72 [extra772] Check if elastic IPs are unused (Not Scored) (Not part of CIS benchmark)
7.73 [extra773] Check if CloudFront distributions are using WAF (Not Scored) (Not part of CIS benchmark)
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled
7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)
7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark)
7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark)
7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)
7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports
7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains have Amazon Cognito authentication for Kibana enabled
7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains have enforce HTTPS enabled
7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains have the internal user database enabled
7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available
7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports
7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains
7.91 [extra791] Check if CloudFront distributions are using deprecated SSL protocols
7.92 [extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)
7.93 [extra793] Check if Elastic Load Balancers have SSL listeners (Not Scored) (Not part of CIS benchmark)
7.94 [extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types
7.95 [extra795] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
7.96 [extra796] Restrict Access to the EKS Control Plane Endpoint
7.97 [extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)
7.99 [extra799] Check if Security Hub is enabled and its standard subscriptions
7.100 [extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)
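The last check, extra7100, is the one most often implemented incorrectly, because an IAM policy document has several equivalent spellings: `Statement`, `Action` and `Resource` may each be a string or a list, action names are case-insensitive and accept `*` and `?` wildcards, and a statement can grant the permission indirectly through `NotAction`. The following is an added example of the evaluation logic in Python; it is not Prowler's own code. It assumes the policy JSON shape returned by `aws iam get-policy-version`; the sample policies are constructed. The treatment of an ARN pattern that matches roles in every account (such as `arn:aws:iam::*:role/*`) as equivalent to `*` is a design choice of this example, as is reporting a `Condition` element alongside the finding instead of suppressing it, since whether the condition actually constrains the assumption needs a human look.

```python
"""Added example (not Prowler's own code): the logic behind check
extra7100, flagging customer-managed IAM policies whose statements allow
sts:AssumeRole on any role (Resource "*").

Policy documents are the JSON shape returned by
`aws iam get-policy-version`; the samples below are constructed.
"""
import fnmatch
from typing import List, Tuple

# Two roles in different accounts: a Resource pattern that matches both is
# effectively unrestricted (design choice of this example, see lead-in).
_PROBE_ROLES = ("arn:aws:iam::111111111111:role/Probe",
                "arn:aws:iam::222222222222:role/Other")


def _as_list(value) -> List:
    """IAM allows Statement/Action/Resource to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_any(resource: str) -> bool:
    """True for '*' or an ARN pattern that matches roles in any account."""
    return resource == "*" or all(fnmatch.fnmatchcase(p, resource) for p in _PROBE_ROLES)


def statement_allows_any_assume_role(stmt: dict) -> bool:
    """True if an Allow statement grants sts:AssumeRole on an unrestricted resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        allows_action = any(_action_matches(p, "sts:AssumeRole")
                            for p in _as_list(stmt["Action"]))
    elif "NotAction" in stmt:
        # NotAction allows everything that is NOT listed, so the permission is
        # granted unless some listed pattern covers sts:AssumeRole.
        allows_action = not any(_action_matches(p, "sts:AssumeRole")
                                for p in _as_list(stmt["NotAction"]))
    else:
        allows_action = False
    if not allows_action:
        return False
    if "Resource" in stmt:
        return any(_resource_is_any(r) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        # Everything except the listed ARNs: still every other role.
        return True
    return False


def find_permissive_assume_role(policies: List[Tuple[str, dict]]) -> List[Tuple[str, str, bool]]:
    """Return (policy name, statement Sid or index, has Condition) per offending statement."""
    findings = []
    for name, doc in policies:
        for i, stmt in enumerate(_as_list(doc.get("Statement"))):
            if statement_allows_any_assume_role(stmt):
                findings.append((name, stmt.get("Sid", f"Statement[{i}]"), "Condition" in stmt))
    return findings


# Constructed sample policies (name, document), covering the spellings above.
SAMPLE_POLICIES = [
    ("AdminAssume", {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}}),
    ("ScopedAssume", {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Resource": "arn:aws:iam::123456789012:role/Deploy"}]}),
    ("WildcardAction", {"Version": "2012-10-17", "Statement": [{
        "Sid": "StsStar", "Effect": "Allow", "Action": "sts:*",
        "Resource": ["arn:aws:iam::*:role/*"]}]}),
    ("NotActionTrap", {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}]}),
    ("DenyOnly", {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}),
    ("ConditionedAssume", {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowWithCondition", "Effect": "Allow", "Action": "STS:assumerole",
        "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}),
]

if __name__ == "__main__":
    for name, sid, conditioned in find_permissive_assume_role(SAMPLE_POLICIES):
        print(f"FAIL {name} {sid}: permissive sts:AssumeRole"
              + (" (has Condition, review)" if conditioned else ""))
```

The `NotActionTrap` and `ConditionedAssume` samples are the ones worth keeping in a regression suite: a scanner that only looks for the literal string `sts:AssumeRole` under `Action` passes both.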
