Best practice rules for Amazon EC2
Amazon Elastic Compute Cloud (EC2) provides on-demand compute capacity that can be tailored to your specific system requirements. EC2 instances can be configured and launched in a matter of minutes, allowing customers to scale up and down as usage requirements change.
Trend Micro Cloud One™ – Conformity monitors Amazon EC2 with the following rules:
- AMI Naming Conventions
Ensure AWS AMIs are using proper naming conventions to follow AWS tagging best practices.
- AWS AMI Encryption
Ensure that your existing AMIs are encrypted to meet security and compliance requirements.
- Account Instance Limit
Ensure your AWS account does not reach the limit set by Amazon for the number of instances.
- App-Tier EC2 Instance Using IAM Roles
Ensure an IAM Role for Amazon EC2 is created for the app tier.
- App-Tier Publicly Shared AMI
Ensure all customer-owned Amazon Machine Images for the app tier are not shared publicly.
- Approved/Golden AMIs
Ensure all AWS EC2 instances are launched from approved AMIs.
- Blocklisted AMIs
Ensure there are no AWS EC2 instances launched from blocklisted AMIs.
- Check for EC2 Instances with Blocklisted Instance Types
Ensure there are no EC2 instances of a blocklisted instance type available in your AWS account.
- Check for Unrestricted Memcached Access
Ensure that no security group allows unrestricted inbound access on TCP/UDP port 11211 (Memcached).
- Check for Unrestricted Redis Access
Ensure that no security group allows unrestricted inbound access on TCP port 6379 (Redis).
- Check for vCPU-Based EC2 Instance Limit
Ensure that your EC2 instances do not reach the limit set by AWS for the number of vCPUs.
- Default Security Group Unrestricted
Ensure default security groups restrict all public traffic to follow AWS security best practices.
- Default Security Groups In Use
Ensure default EC2 security groups are not in use in order to follow AWS security best practices.
- Descriptions for Security Group Rules
Ensure AWS EC2 security group rules have descriptive text for organization and documentation.
- EC2 AMI Too Old
Check for any AMIs older than 180 days available within your AWS account.
- EC2 Desired Instance Type
Ensure all your AWS EC2 instances are of a given instance type (e.g. m3.medium).
- EC2 Instance Counts
Ensure your AWS account has not reached the limit set for the number of EC2 instances.
- EC2 Instance Dedicated Tenancy
Ensure EC2 dedicated instances are regularly reviewed for cost optimization (informational).
- EC2 Instance Detailed Monitoring
Ensure that detailed monitoring is enabled for the AWS EC2 instances that you need to monitor closely.
- EC2 Instance Generation
Ensure your AWS servers are using the latest generation of EC2 instances for price-performance improvements.
- EC2 Instance In VPC
Ensure EC2 instances are launched using the EC2-VPC platform instead of the outdated EC2-Classic platform.
- EC2 Instance Naming Conventions
Ensure EC2 Instances are using proper naming conventions to follow AWS tagging best practices.
- EC2 Instance Not In Public Subnet
Ensure no backend EC2 instances are running in public subnets.
- EC2 Instance Scheduled Events
Identify any AWS EC2 instances that have scheduled events and take action to resolve them.
- EC2 Instance Security Group Rules Counts
Ensure that the security group(s) associated with an EC2 instance do not have an excessive number of rules defined.
- EC2 Instance Tenancy
Ensure EC2 instances have the required tenancy for security and regulatory compliance requirements.
- EC2 Instance Termination Protection
Ensure Termination Protection feature is enabled for EC2 instances that are not part of ASGs.
- EC2 Instance Too Old
Check for running AWS EC2 instances older than 180 days available within your AWS account.
- EC2 Instance Using IAM Roles
Use Instance Profiles/IAM Roles to appropriately grant permissions to applications running on Amazon EC2 instances.
- EC2 Reserved Instance Payment Failed
Ensure that none of your AWS EC2 Reserved Instance purchases have failed.
- EC2 Reserved Instance Payment Pending
Ensure that none of your AWS EC2 Reserved Instance purchases are pending.
- EC2 Reserved Instance Recent Purchases
Ensure EC2 Reserved Instance purchases are regularly reviewed for cost optimization (informational).
- EC2-Classic Elastic IP Address Limit Checkup
Ensure that your account does not reach the limit set by AWS for the number of allocated Elastic IPs.
- EC2-VPC Elastic IP Address Limit Checkup
Ensure that your account does not reach the limit set by AWS for the number of Elastic IPs.
- Enable AWS EC2 Hibernation
Ensure that Hibernation feature is enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.
- Idle EC2 Instance
Identify idle AWS EC2 instances and stop or terminate them in order to optimize AWS costs.
- Instance In Auto Scaling Group
Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices.
- Overutilized AWS EC2 Instances
Identify overutilized EC2 instances and upgrade them to optimize application response time.
- Publicly Shared AMI
Ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
- Reserved Instance Lease Expiration In The Next 30 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
- Reserved Instance Lease Expiration In The Next 7 Days
Ensure Amazon EC2 Reserved Instances (RI) are renewed before expiration.
- Security Group Excessive Counts
Ensure your AWS account does not have an excessive number of security groups per region.
- Security Group Name Prefixed With 'launch-wizard'
Ensure EC2 security groups prefixed with "launch-wizard" are not in use in order to follow AWS security best practices.
- Security Group Naming Conventions
Ensure security groups are using proper naming conventions to follow AWS tagging best practices.
- Security Group Port Range
Ensure there are no EC2 security groups in your AWS account that open a range of ports to incoming traffic.
- Security Group Rules Counts
Ensure your EC2 security groups do not have an excessive number of rules defined.
- SecurityGroup RFC 1918
Ensure no EC2 security group allows inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.
- Unassociated Elastic IP Addresses
Identify and remove any unassociated Elastic IP (EIP) addresses for cost optimization.
- Underutilized EC2 Instance
Identify underutilized EC2 instances and downsize them in order to optimize your AWS costs.
- Unrestricted CIFS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 445 (CIFS).
- Unrestricted DNS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP and UDP port 53 (DNS).
- Unrestricted Elasticsearch Access
Ensure no security group allows unrestricted inbound access to TCP port 9200 (Elasticsearch).
- Unrestricted FTP Access
Ensure no EC2 security group allows unrestricted inbound access to TCP ports 20 and 21 (FTP).
- Unrestricted HTTP Access
Ensure no security group allows unrestricted inbound access to TCP port 80 (HTTP).
- Unrestricted HTTPS Access
Ensure no security group allows unrestricted inbound access to TCP port 443 (HTTPS).
- Unrestricted ICMP Access
Ensure no security group allows unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Unrestricted Inbound Access on Uncommon Ports
Ensure no EC2 security group allows unrestricted inbound access to any uncommon ports.
- Unrestricted MongoDB Access
Ensure no security group allows unrestricted inbound access to TCP port 27017 (MongoDB).
- Unrestricted MsSQL Access
Ensure no security group allows unrestricted inbound access to TCP port 1433 (MSSQL).
- Unrestricted MySQL Access
Ensure no security group allows unrestricted inbound access to TCP port 3306 (MySQL).
- Unrestricted NetBIOS Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).
- Unrestricted Oracle Access
Ensure no security group allows unrestricted inbound access to TCP port 1521 (Oracle Database).
- Unrestricted Outbound Access on All Ports
Ensure that your EC2 security groups do not allow unrestricted outbound/egress access.
- Unrestricted PostgreSQL Access
Ensure no security group allows unrestricted inbound access to TCP port 5432 (PostgreSQL Database).
- Unrestricted RDP Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 3389 (RDP).
- Unrestricted RPC Access
Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC).
- Unrestricted SMTP Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 25 (SMTP).
- Unrestricted SSH Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 22 (SSH).
- Unrestricted Telnet Access
Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 23 (Telnet).
- Unused AMI
Identify and remove any unused Amazon Machine Images (AMIs) to optimize AWS costs.
- Unused AWS EC2 Key Pairs
Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices.
- Unused EC2 Reserved Instances
Ensure that your Amazon EC2 Reserved Instances are being fully utilized.
- Unused Elastic Network Interfaces
Ensure unused AWS Elastic Network Interfaces (ENIs) are removed to follow best practices.
- Web-Tier EC2 Instance Using IAM Roles
Ensure an IAM Role for Amazon EC2 is created for the web tier.
- Web-Tier Publicly Shared AMI
Ensure all customer-owned Amazon Machine Images for the web tier are not shared publicly.