CloudSploit Security Remediation Guides

CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.

Background

This repository is an extension of CloudSploit's open-source scanning engine. We first released the scanning engine in 2015, and this documentation repository is a natural follow up to that tool. The goal of these guides are to provide detailed steps on remediation common security issues in cloud services.

Table of Contents

• AWS
  • ACM
    • ACM Certificate Validation
  • AutoScaling
    • ASG Multiple AZ
  • CloudFront
    • CloudFront HTTPS Only
    • CloudFront Logging Enabled
    • Insecure CloudFront Protocols
    • Public S3 CloudFront Origin
    • Secure CloudFront Origin
  • CloudTrail
    • CloudTrail Bucket Access Logging
    • CloudTrail Bucket Delete Policy
    • CloudTrail Bucket Private
    • CloudTrail Enabled
    • CloudTrail Encryption
    • CloudTrail File Validation
    • CloudTrail To CloudWatch
  • CloudWatchLogs
    • CloudWatch Monitoring Metrics
  • ConfigService
    • Config Service Enabled
  • EC2
    • Cross VPC Public Private Communication
    • Default Security Group
    • Default VPC In Use
    • Detect EC2 Classic Instances
    • EBS Encrypted Snapshots
    • EBS Encryption Enabled
    • EC2 Instance Key Based Login
    • EC2 Max Instances
    • Elastic IP Limit
    • Encrypted AMI
    • Excessive Security Groups
    • Instance IAM Role
    • Instance Limit
    • NAT Multiple AZ
    • Open All Ports Protocols
    • Open CIFS
    • Open DNS
    • Open Elasticsearch
    • Open FTP
    • Open MySQL
    • Open NetBIOS
    • Open Oracle
    • Open PostgreSQL
    • Open RDP
    • Open RPC
    • Open SMBoTCP
    • Open SMTP
    • Open SQL Server
    • Open SSH
    • Open Telnet
    • Open VNC Client
    • Open VNC Server
    • Overlapping Security Groups
    • Public AMI
    • Subnet IP Availability
    • VPC Elastic IP Limit
    • VPC Flow Logs Enabled
    • VPC Multiple Subnets
  • ELB
    • ELB HTTPS Only
    • ELB Logging Enabled
    • ELB No Instances
    • Insecure Ciphers
  • Firehose
    • Firehose Delivery Streams Encrypted
  • IAM
    • Access Keys Extra
    • Access Keys Last Used
    • Access Keys Rotated
    • Certificate Expiry
    • Empty Groups
    • IAM User Admins
    • Maximum Password Age
    • Minimum Password Length
    • No User IAM Policies
    • Password Expiration
    • Password Requires Lowercase
    • Password Requires Numbers
    • Password Requires Symbols
    • Password Requires Uppercase
    • Password Reuse Prevention
    • Root Access Keys
    • Root Account In Use
    • Root MFA Enabled
    • SSH Keys Rotated
    • Users MFA Enabled
    • Users Password Last Used
  • KMS
    • KMS Default Key Usage
    • KMS Key Policy
    • KMS Key Rotation
    • KMS Scheduled Deletion
  • Kinesis
    • Kinesis Streams Encrypted
  • Lambda
    • Lambda Old Runtimes
  • RDS
    • RDS Automated Backups
    • RDS Encryption Enabled
    • RDS Multiple AZ
    • RDS Publicly Accessible
    • RDS Restorable
  • Redshift
    • Redshift Encryption Enabled
    • Redshift Publicly Accessible
  • Route53
    • Domain Auto Renew
    • Domain Expiry
    • Domain Transfer Lock
  • S3
    • S3 Bucket All Users ACL
    • S3 Bucket All Users Policy
    • S3 Bucket Logging
    • S3 Bucket Versioning
  • SES
    • Email DKIM Enabled
  • SNS
    • SNS Topic Policies
  • SQS
    • SQS Cross Account Access
    • SQS Encrypted
  • SSM
    • SSM Encrypted Parameters
  • SageMaker
    • Notebook Data Encrypted
    • Notebook Direct Internet Access
• Azure
  • Blob Service
    • Blob Service Immutable
  • File Service
    • File Service All Access ACL
  • Log Alerts
    • SQL Server Firewall Rule Alerts Monitor
    • Virtual Network Alerts Monitor
  • Queue Service
    • Queue Service All Access ACL
  • Resource Groups
    • Resource Groups
  • Security Center
    • Monitor Disk Encryption
  • Storage Accounts
    • Storage Accounts Encryption
    • Storage Accounts HTTPS
  • Table Service
    • Table Service All Access ACL
  • Virtual Machines
    • VM Agent Enabled
    • VM Auto Update Enabled
    • VM Data Disk Encryption
    • VM Endpoint Protection
    • VM OS Disk Encryption

Contributing

Please see the contributor's guide.