Security Hub (AWS Best Practices Standard)

ID                Title
CloudTrail.2      CloudTrail should have encryption at-rest enabled
EC2.10            Amazon EC2 should be configured to use VPC endpoints
EC2.2             The VPC default security group should not allow inbound and outbound traffic
EC2.3             Attached EBS volumes should be encrypted at-rest
EC2.4             Stopped EC2 instances should be removed after a specified time period
EC2.6             VPC flow logging should be enabled in all VPCs
EC2.7             EBS default encryption should be enabled
EC2.8             EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
EC2.9             EC2 instances should not have a public IPv4 address
GuardDuty.1       GuardDuty should be enabled
IAM.1             IAM policies should not allow full "*" administrative privileges
IAM.2             IAM users should not have IAM policies attached
IAM.3             IAM users' access keys should be rotated every 90 days or less
IAM.5             MFA should be enabled for all IAM users that have a console password
IAM.6             Hardware MFA should be enabled for the root user
IAM.7             Password policies for IAM users should have strong configurations
IAM.8             Unused IAM user credentials should be removed
KMS.1             IAM customer managed policies should not allow decryption actions on all KMS keys
KMS.2             IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
RDS.4             RDS cluster snapshots and database snapshots should be encrypted at rest
S3.4              S3 buckets should have server-side encryption enabled
S3.5              S3 buckets should require requests to use Secure Socket Layer
SSM.1             EC2 instances should be managed by AWS Systems Manager
ACM.1             ACM certificates should be renewed after a specified time period
APIGateway.1      API Gateway REST and HTTP API logging should be enabled
AutoScaling.1     Auto scaling groups associated with a load balancer should use load balancer health checks
CloudTrail.1      CloudTrail should be enabled and configured with at least one multi-region trail
CodeBuild.1       CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
CodeBuild.2       CodeBuild project environment variables should not contain clear text credentials
Config.1          AWS Config should be enabled
DMS.1             Database Migration Service replication instances should not be public
DynamoDB.1        DynamoDB tables should automatically scale capacity with demand
DynamoDB.2        DynamoDB tables should have point-in-time recovery enabled
DynamoDB.3        DynamoDB Accelerator (DAX) clusters should be encrypted at rest
EC2.1             EBS snapshots should not be public, determined by the ability to be restorable by anyone
EFS.1             Elastic File System should be configured to encrypt file data at-rest using AWS KMS
EFS.2             Amazon EFS volumes should be in backup plans
ELB.3             Classic Load Balancer listeners should be configured with HTTPS or TLS termination
ELB.4             Application load balancer should be configured to drop http headers
ELB.5             Application and Classic Load Balancers logging should be enabled
ELB.6             Application Load Balancer deletion protection should be enabled
ELBv2.1           Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
EMR.1             Amazon Elastic MapReduce cluster master nodes should not have public IP addresses
ES.1              Elasticsearch domains should have encryption at-rest enabled
ES.2              Amazon Elasticsearch Service domains should be in a VPC
ES.3              Amazon Elasticsearch domains should encrypt data sent between nodes
IAM.4             IAM root user access key should not exist
KMS.3             AWS KMS keys should not be deleted unintentionally
Lambda.1          Lambda function policies should prohibit public access
Lambda.2          Lambda functions should use latest runtimes
RDS.1             RDS snapshot should be private
RDS.10            IAM authentication should be configured for RDS instances
RDS.2             RDS DB Instances should prohibit public access, determined by the PubliclyAccessible configuration
RDS.3             RDS DB instances should have encryption at-rest enabled
RDS.5             RDS DB instances should be configured with multiple Availability Zones
RDS.6             Enhanced monitoring should be configured for RDS DB instances
RDS.7             RDS clusters should have deletion protection enabled
RDS.8             RDS DB instances should have deletion protection enabled
RDS.9             Database logging should be enabled
Redshift.1        Amazon Redshift clusters should prohibit public access
Redshift.2        Connections to Amazon Redshift clusters should be encrypted in transit
Redshift.3        Amazon Redshift clusters should have automatic snapshots enabled
Redshift.6        Amazon Redshift should have automatic upgrades to major versions enabled
S3.1              S3 Block Public Access setting should be enabled
S3.2              S3 buckets should prohibit public read access
S3.3              S3 buckets should prohibit public write access
S3.6              S3 permissions granted to other AWS accounts in bucket policies should be restricted
SNS.1             SNS topics should be encrypted at-rest using AWS KMS
SSM.2             EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
SSM.3             EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
SageMaker.1       Amazon SageMaker notebook instances should not have direct internet access
SecretsManager.1  Secrets Manager secrets should have automatic rotation enabled
SecretsManager.2  Secrets Manager secrets configured with automatic rotation should rotate successfully
Matches in Prowler (Extras)
[extra748]
[extra729]
[extra761]
[extra786]
[extra710]
[extra713]
[extra72]
[extra781]
[extra782]
[extra798]
[extra723]
[extra756]
Prowler (EXTRAS)
7.1 [extra71] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled (Not Scored) (Not part of CIS benchmark)
7.2 [extra72] Ensure there are no EBS Snapshots set as Public (Not Scored) (Not part of CIS benchmark)
7.3 [extra73] Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)
7.4 [extra74] Ensure there are no Security Groups without ingress filtering being used (Not Scored) (Not part of CIS benchmark)
7.5 [extra75] Ensure there are no Security Groups not being used (Not Scored) (Not part of CIS benchmark)
7.6 [extra76] Ensure there are no EC2 AMIs set as Public (Not Scored) (Not part of CIS benchmark)
7.7 [extra77] Ensure there are no ECR repositories set as Public (Not Scored) (Not part of CIS benchmark)
7.8 [extra78] Ensure there are no Public Accessible RDS instances (Not Scored) (Not part of CIS benchmark)
7.9 [extra79] Check for internet facing Elastic Load Balancers (Not Scored) (Not part of CIS benchmark)
7.10 [extra710] Check for internet facing EC2 Instances (Not Scored) (Not part of CIS benchmark)
7.11 [extra711] Check for Publicly Accessible Redshift Clusters (Not Scored) (Not part of CIS benchmark)
7.12 [extra712] Check if Amazon Macie is enabled (Not Scored) (Not part of CIS benchmark)
7.13 [extra713] Check if GuardDuty is enabled (Not Scored) (Not part of CIS benchmark)
7.14 [extra714] Check if CloudFront distributions have logging enabled (Not Scored) (Not part of CIS benchmark)
7.15 [extra715] Check if Amazon Elasticsearch Service (ES) domains have logging enabled
7.16 [extra716] Check if Amazon Elasticsearch Service (ES) domains are set as Public or if it has open policy access
7.17 [extra717] Check if Elastic Load Balancers have logging enabled (Not Scored) (Not part of CIS benchmark)
7.18 [extra718] Check if S3 buckets have server access logging enabled (Not Scored) (Not part of CIS benchmark)
7.19 [extra719] Check if Route53 public hosted zones are logging queries to CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.20 [extra720] Check if Lambda functions invoke API operations are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
7.21 [extra721] Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
7.22 [extra722] Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
7.23 [extra723] Check if RDS Snapshots and Cluster Snapshots are public (Not Scored) (Not part of CIS benchmark)
7.24 [extra724] Check if ACM certificates have Certificate Transparency logging enabled (Not Scored) (Not part of CIS benchmark)
7.25 [extra725] Check if S3 buckets have Object-level logging enabled in CloudTrail (Not Scored) (Not part of CIS benchmark)
7.26 [extra726] Check Trusted Advisor for errors and warnings (Not Scored) (Not part of CIS benchmark)
7.27 [extra727] Check if SQS queues have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.28 [extra728] Check if SQS queues have Server Side Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.29 [extra729] Ensure there are no EBS Volumes unencrypted (Not Scored) (Not part of CIS benchmark)
7.30 [extra730] Check if ACM Certificates are about to expire in 7 days or less (Not Scored) (Not part of CIS benchmark)
7.31 [extra731] Check if SNS topics have policy set as Public (Not Scored) (Not part of CIS benchmark)
7.32 [extra732] Check if Geo restrictions are enabled in CloudFront distributions (Not Scored) (Not part of CIS benchmark)
7.33 [extra733] Check if there are SAML Providers then STS can be used (Not Scored) (Not part of CIS benchmark)
7.34 [extra734] Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it (Not Scored) (Not part of CIS benchmark)
7.35 [extra735] Check if RDS instances storage is encrypted (Not Scored) (Not part of CIS benchmark)
7.36 [extra736] Check exposed KMS keys (Not Scored) (Not part of CIS benchmark)
7.37 [extra737] Check KMS keys with key rotation disabled (Not Scored) (Not part of CIS benchmark)
7.38 [extra738] Check if CloudFront distributions are set to HTTPS (Not Scored) (Not part of CIS benchmark)
7.39 [extra739] Check if RDS instances have backup enabled (Not Scored) (Not part of CIS benchmark)
7.40 [extra740] Check if EBS snapshots are encrypted (Not Scored) (Not part of CIS benchmark)
7.41 [extra741] Find secrets in EC2 User Data (Not Scored) (Not part of CIS benchmark)
7.42 [extra742] Find secrets in CloudFormation outputs (Not Scored) (Not part of CIS benchmark)
7.43 [extra743] Check if API Gateway has client certificate enabled to access your backend endpoint (Not Scored) (Not part of CIS benchmark)
7.44 [extra744] Check if API Gateway has a WAF ACL attached (Not Scored) (Not part of CIS benchmark)
7.45 [extra745] Check if API Gateway endpoint is public or private (Not Scored) (Not part of CIS benchmark)
7.46 [extra746] Check if API Gateway has configured authorizers (Not Scored) (Not part of CIS benchmark)
7.47 [extra747] Check if RDS instances is integrated with CloudWatch Logs (Not Scored) (Not part of CIS benchmark)
7.48 [extra748] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port (Not Scored) (Not part of CIS benchmark)
7.49 [extra749] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483 (Not Scored) (Not part of CIS benchmark)
7.50 [extra750] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306 (Not Scored) (Not part of CIS benchmark)
7.51 [extra751] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432 (Not Scored) (Not part of CIS benchmark)
7.52 [extra752] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379 (Not Scored) (Not part of CIS benchmark)
7.53 [extra753] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018 (Not Scored) (Not part of CIS benchmark)
7.54 [extra754] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888 (Not Scored) (Not part of CIS benchmark)
7.55 [extra755] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211 (Not Scored) (Not part of CIS benchmark)
7.56 [extra756] Check if Redshift cluster is Public Accessible (Not Scored) (Not part of CIS benchmark)
7.57 [extra757] Check EC2 Instances older than 6 months (Not Scored) (Not part of CIS benchmark)
7.58 [extra758] Check EC2 Instances older than 12 months (Not Scored) (Not part of CIS benchmark)
7.61 [extra761] Check if EBS Default Encryption is activated (Not Scored) (Not part of CIS benchmark)
7.62 [extra762] Find obsolete Lambda runtimes (Not Scored) (Not part of CIS benchmark)
7.63 [extra763] Check if S3 buckets have object versioning enabled (Not Scored) (Not part of CIS benchmark)
7.65 [extra765] Check if ECR image scan on push is enabled (Not Scored) (Not part of CIS benchmark)
7.67 [extra767] Check if CloudFront distributions have Field Level Encryption enabled (Not Scored) (Not part of CIS benchmark)
7.68 [extra768] Find secrets in ECS task definitions variables (Not Scored) (Not part of CIS benchmark)
7.69 [extra769] Check if IAM Access Analyzer is enabled and its findings (Not Scored) (Not part of CIS benchmark)
7.70 [extra770] Check for internet facing EC2 instances with Instance Profiles attached (Not Scored) (Not part of CIS benchmark)
7.71 [extra771] Check if S3 buckets have policies which allow WRITE access (Not Scored) (Not part of CIS benchmark)
7.72 [extra772] Check if elastic IPs are unused (Not Scored) (Not part of CIS benchmark)
7.73 [extra773] Check if CloudFront distributions are using WAF (Not Scored) (Not part of CIS benchmark)
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled
7.75 [extra775] Find secrets in EC2 Auto Scaling Launch Configuration (Not Scored) (Not part of CIS benchmark)
7.76 [extra776] Check if ECR image scan found vulnerabilities in the newest image version (Not Scored) (Not part of CIS benchmark)
7.77 [extra777] Find VPC security groups with many ingress or egress rules (Not Scored) (Not part of CIS benchmark)
7.78 [extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)
7.79 [extra779] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports
7.80 [extra780] Check if Amazon Elasticsearch Service (ES) domains has Amazon Cognito authentication for Kibana enabled
7.81 [extra781] Check if Amazon Elasticsearch Service (ES) domains has encryption at-rest enabled
7.82 [extra782] Check if Amazon Elasticsearch Service (ES) domains has node-to-node encryption enabled
7.83 [extra783] Check if Amazon Elasticsearch Service (ES) domains has enforce HTTPS enabled
7.84 [extra784] Check if Amazon Elasticsearch Service (ES) domains internal user database enabled
7.85 [extra785] Check if Amazon Elasticsearch Service (ES) domains have updates available
7.86 [extra786] Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required (Not Scored) (Not part of CIS benchmark)
7.87 [extra787] Check connection and authentication for Internet exposed Elasticsearch/Kibana ports
7.88 [extra788] Check connection and authentication for Internet exposed Amazon Elasticsearch Service (ES) domains
7.91 [extra791] Check if CloudFront distributions are using deprecated SSL protocols
7.92 [extra792] Check if Elastic Load Balancers have insecure SSL ciphers (Not Scored) (Not part of CIS benchmark)
7.93 [extra793] Check if Elastic Load Balancers have SSL listeners (Not Scored) (Not part of CIS benchmark)
7.94 [extra794] Ensure EKS Control Plane Audit Logging is enabled for all log types
7.95 [extra795] Ensure EKS Clusters are created with Private Endpoint Enabled and Public Access Disabled
7.97 [extra797] Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)
7.98 [extra798] Check if Lambda functions have resource-based policy set as Public
7.99 [extra799] Check if Security Hub is enabled and its standard subscriptions
7.100 [extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)
Matches in Security Hub standards

EC2.1
EC2.9
GuardDuty.1
RDS.1
EC2.3
EC2.2
Redshift.1
EC2.7
ES.1
ES.3
EC2.8
Lambda.1

Security Hub CIS Benchmark

ID        Title
CIS.1.10  Ensure IAM password policy prevents password reuse
CIS.1.11  Ensure IAM password policy expires passwords within 90 days or less
CIS.1.14  Ensure hardware MFA is enabled for the "root" account
CIS.1.16  Ensure IAM policies are attached only to groups or roles
CIS.1.2   Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
CIS.1.20  Ensure a support role has been created to manage incidents with AWS Support
CIS.1.22  Ensure IAM policies that allow full "*:*" administrative privileges are not created
CIS.1.3   Ensure credentials unused for 90 days or greater are disabled
CIS.1.4   Ensure access keys are rotated every 90 days or less
CIS.1.7   Ensure IAM password policy requires at least one symbol
CIS.1.9   Ensure IAM password policy requires minimum password length of 14 or greater
CIS.2.4   Ensure CloudTrail trails are integrated with CloudWatch Logs
CIS.2.7   Ensure CloudTrail logs are encrypted at rest using KMS CMKs
CIS.2.9   Ensure VPC flow logging is enabled in all VPCs
CIS.4.1   Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
CIS.4.2   Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
CIS.4.3   Ensure the default security group of every VPC restricts all traffic
CIS.1.1   Avoid the use of the "root" account
CIS.3.1   Ensure a log metric filter and alarm exist for unauthorized API calls
CIS.3.10  Ensure a log metric filter and alarm exist for security group changes
CIS.3.11  Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
CIS.3.12  Ensure a log metric filter and alarm exist for changes to network gateways
CIS.3.13  Ensure a log metric filter and alarm exist for route table changes
CIS.3.14  Ensure a log metric filter and alarm exist for VPC changes
CIS.3.2   Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
CIS.3.3   Ensure a log metric filter and alarm exist for usage of "root" account
CIS.3.4   Ensure a log metric filter and alarm exist for IAM policy changes
CIS.3.5   Ensure a log metric filter and alarm exist for CloudTrail configuration changes
CIS.3.6   Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
CIS.3.7   Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
CIS.3.8   Ensure a log metric filter and alarm exist for S3 bucket policy changes
CIS.3.9   Ensure a log metric filter and alarm exist for AWS Config configuration changes
CIS.2.3   Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
CIS.2.6   Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
CIS.1.12  Ensure no root account access key exists
CIS.1.13  Ensure MFA is enabled for the "root" account
CIS.1.5   Ensure IAM password policy requires at least one uppercase letter
CIS.1.6   Ensure IAM password policy requires at least one lowercase letter
CIS.1.8   Ensure IAM password policy requires at least one number
CIS.2.1   Ensure CloudTrail is enabled in all regions
CIS.2.2   Ensure CloudTrail log file validation is enabled
CIS.2.5   Ensure AWS Config is enabled
CIS.2.8   Ensure rotation for customer created CMKs is enabled
Prowler Groups 1, 2, 3, 4
1.0 Identity and Access Management - CIS only - [group1] ***********
1.2 [check12] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
1.3 [check13] Ensure credentials unused for 90 days or greater are disabled (Scored)
1.4 [check14] Ensure access keys are rotated every 90 days or less (Scored)
1.5 [check15] Ensure IAM password policy requires at least one uppercase letter (Scored)
1.6 [check16] Ensure IAM password policy require at least one lowercase letter (Scored)
1.7 [check17] Ensure IAM password policy require at least one symbol (Scored)
1.8 [check18] Ensure IAM password policy require at least one number (Scored)
1.9 [check19] Ensure IAM password policy requires minimum length of 14 or greater (Scored)
1.10 [check110] Ensure IAM password policy prevents password reuse: 24 or greater (Scored)
1.11 [check111] Ensure IAM password policy expires passwords within 90 days or less (Scored)
1.13 [check113] Ensure MFA is enabled for the root account (Scored)
1.14 [check114] Ensure hardware MFA is enabled for the root account (Scored)
1.15 [check115] Ensure security questions are registered in the AWS account (Not Scored)
1.16 [check116] Ensure IAM policies are attached only to groups or roles (Scored)
1.19 [check119] Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
1.20 [check120] Ensure a support role has been created to manage incidents with AWS Support
1.21 [check121] Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)
1.22 [check122] Ensure IAM policies that allow full "*:*" administrative privileges are not created (Scored)
7.74 [extra774] Ensure credentials unused for 30 days or greater are disabled
4.1 [check41] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (Scored)
4.2 [check42] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 (Scored)
4.3 [check43] Ensure the default security group of every VPC restricts all traffic (Scored)
4.4 [check44] Ensure routing tables for VPC peering are "least access" (Not Scored)
[ec2-user@ip-172-31-4-164 skymap-prowler-master]$ ./prowler -l -g group3
3.1 [check31] Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
3.2 [check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
3.3 [check33] Ensure a log metric filter and alarm exist for usage of root account (Scored)
3.4 [check34] Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
3.5 [check35] Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
3.6 [check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
3.7 [check37] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
3.8 [check38] Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
3.9 [check39] Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
3.10 [check310] Ensure a log metric filter and alarm exist for security group changes (Scored)
3.11 [check311] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
3.12 [check312] Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
3.13 [check313] Ensure a log metric filter and alarm exist for route table changes (Scored)
3.14 [check314] Ensure a log metric filter and alarm exist for VPC changes (Scored)
2.3 [check23] Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
2.4 [check24] Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
2.6 [check26] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
2.7 [check27] Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
2.8 [check28] Ensure rotation for customer created CMKs is enabled (Scored)
2.9 [check29] Ensure VPC Flow Logging is Enabled in all VPCs (Scored)