|
AWS EC2 Best Practices
Amazon Elastic Cloud Compute (EC2) provides on demand compute capacity that can be tailored to meet your specific system requirements. EC2 servers can be configured and launched in a matter of minutes, allowing customers to scale up and down as usage requirements change.
Cloud Conformity monitors Amazon EC2 with the following rules:
Ensure AWS AMIs are using proper naming conventions to follow AWS tagging best practices.
Ensure that your existing AMIs are encrypted to meet security and compliance requirements.
Ensure your AWS account does not reach the limit set by Amazon for the number of instances.
Ensure an IAM Role for Amazon EC2 is created for app tier.
Ensure all customer owned Amazon Machine Images for app tier are not shared publicly.
Ensure all AWS EC2 instances are launched from approved AMIs.
Ensure there are no AWS EC2 instances launched from blocklisted AMIs.
Ensure there is no EC2 instance with the instance type blocklisted, available in your AWS account.
Ensure that your EC2 instances do not reach the limit set by AWS for the number of vCPUs.
Ensure default security groups restrict all public traffic to follow AWS security best practices.
Ensure default EC2 security groups are not in use in order to follow AWS security best practices.
Ensure AWS EC2 security group rules have descriptive text for organization and documentation.
Check for any AMIs older than 180 days available within your AWS account.
Ensure all your AWS EC2 instances are of a given instance type (e.g. m3.medium).
Ensure your AWS account has not reached the limit set for the number of EC2 instances.
Ensure EC2 dedicated instances are regularly reviewed for cost optimization (informational).
Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely.
Ensure your AWS servers are using the latest generation of EC2 instances for price-performance improvements.
Ensure EC2 instances are launched using the EC2-VPC platform instead of EC2-Classic outdated platform.
Ensure EC2 Instances are using proper naming conventions to follow AWS tagging best practices.
Ensure no backend EC2 instances are running in public subnets.
Identify any AWS EC2 instances that have scheduled events and take action to resolve them.
Ensure that the security group(s) associated with an EC2 instance does not have an excessive number of rules defined.
Ensure EC2 instances have the required tenancy for security and regulatory compliance requirements.
Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
Check for running AWS EC2 instances older than 180 days available within your AWS account.
Use Instance Profiles/IAM Roles to appropriately grant permissions to applications running on amazon EC2 instances
Ensure that none of your AWS EC2 Reserved Instance purchases have been failed.
Ensure that none of your AWS EC2 Reserved Instance purchases are pending.
Ensure EC2 Reserved Instance purchases are regularly reviewed for cost optimization (informational).
Ensure that your account does not reach the limit set by AWS for the number of allocated Elastic IPs.
Ensure that your account does not reach the limit set by AWS for the number of Elastic IPs.
Ensure that Hibernation feature is enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.
Identify idle AWS EC2 instances and stop or terminate them in order to optimize AWS costs.
Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices.
Identify overutilized EC2 instances and upgrade them to optimize application response time.
Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
Ensure your AWS account does not have an excessive number of security groups per region.
Ensure EC2 security groups prefixed with "launch-wizard" are not in use in order to follow AWS security best practices.
Ensure security groups are using proper naming conventions to follow AWS tagging best practices.
Ensure there are no EC2 security groups in your AWS account that open range of ports to allow incoming traffic.
Ensure your EC2 security groups do not have an excessive number of rules defined.
Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.
Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.
Identify underutilized EC2 instances and downsize them in order to optimize your AWS costs.
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 and (CIFS).
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53 (DNS).
Ensure no security group allows unrestricted inbound access to TCP port 9200 (Elasticsearch).
Ensure no EC2 security group allows unrestricted inbound access to TCP ports 20 and 21 (FTP).
Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP).
Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS).
Ensure no security group allows unrestricted inbound access using Internet Control Message Protocol (ICMP).
Ensure no EC2 security group allows unrestricted inbound access to any uncommon ports.
Ensure no security group allows unrestricted ingress access to MongoDB port 27017
Ensure no security group allows unrestricted inbound access to TCP port 1433 (MSSQL).
Ensure no security group allows unrestricted inbound access to TCP port 3306 (MySQL).
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).
Ensure no security group allows unrestricted inbound access to TCP port 1521 (Oracle Database).
Ensure that your EC2 security groups do not allow unrestricted outbound/egress access.
Ensure no security group allows unrestricted inbound access to TCP port 5432 (PostgreSQL Database).
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 3389 (RDP).
Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC).
- Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP).
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 22 (SSH).
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 (Telnet).
Identify and remove any unused Amazon Machine Images (AMIs) to optimize AWS costs.
Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.
Ensure that your Amazon EC2 Reserved Instances are being fully utilized.
Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.
Ensure an IAM Role for Amazon EC2 is created for web tier.
Ensure all customer owned Amazon Machine Images for web tier are not shared publicly.