Security Policies¶

All S3 buckets must have server-side encryption enabled to protect data at rest.

Use AWS KMS for server-side encryption for better key management and auditing.

S3 buckets must have block_public_acls enabled to prevent public access via ACLs.

S3 buckets must have block_public_policy enabled to prevent public bucket policies.

S3 buckets must have ignore_public_acls enabled to override any public ACLs.

S3 buckets must have restrict_public_buckets enabled.

S3 buckets must not use public-read ACL. Public read access exposes data to the internet.

S3 buckets must not use public-read-write ACL. Public write access is a critical risk.

Enable versioning for data protection and recovery from accidental deletion.

EC2 instances must use Instance Metadata Service v2 (IMDSv2) to prevent SSRF attacks.

EC2 instances must encrypt root EBS volumes to protect data at rest.

EC2 instances should avoid public IP addresses unless explicitly required.

Security groups must not allow SSH (port 22) from 0.0.0.0/0.

Security groups must not allow RDP (port 3389) from 0.0.0.0/0.

Security groups must not allow all ports from 0.0.0.0/0.

Database ports (3306, 5432, 1433, 27017) must not be open to the internet.

RDS instances must have storage encryption enabled.

RDS instances must have publicly_accessible set to false.

RDS backup retention should be at least 7 days.

Enable deletion protection to prevent accidental database deletion.

Use Multi-AZ deployment for high availability.

IAM policies must not use * (wildcard) for actions. Follow the principle of least privilege.

Use managed policies instead of inline policies on IAM users for better governance.

IAM role trust policies should restrict who can assume the role.

CloudTrail logs must be encrypted with AWS KMS.

Enable log file validation to detect tampering.

Enable CloudTrail for all regions.

Enable automatic key rotation for KMS customer-managed keys.

KMS key deletion window should be at least 14 days.

All EBS volumes must be encrypted.

All EBS snapshots must be encrypted.

Enable X-Ray tracing for Lambda functions for observability.

Lambda functions should run inside a VPC for network isolation.

Enable access logging for Application Load Balancers.

ALB listeners must use HTTPS protocol.

Enable deletion protection for ALBs.

CloudWatch Log Groups should use KMS encryption.

CloudWatch Log Groups should have a retention period configured.

The default security group should restrict all inbound and outbound traffic.

Subnets should not auto-assign public IP addresses.

Secrets should use customer-managed KMS keys for encryption.

Secrets should have automatic rotation configured.

Large EC2 instances should be reviewed for right-sizing opportunities.

Very large instance types (xlarge+) should be justified.

Migrate from previous-generation instance types to current generation.

All resources must have an Environment tag.

Resources should have an Owner tag for accountability.

Resources should have a Project tag for cost allocation.

Resources should have a Name tag for identification.